Nft collector
The nft
collector provides insight into Netfilter rules and actions, by
automatically adding a probe on __nft_trace_packet
. For the nft
collector to
work a special dummy nft
table must be added:
table inet Retis_Table {
chain Retis_Chain {
meta nftrace set 1
}
}
Retis can also install and uninstall the above table automatically by using the
--allow-system-changes
cli parameter.
Arguments
The nft
collector has a single specific argument, --nft-verdicts
. It is used
to choose which Netfilter verdicts will be reported in events. By default it
reports only drop
and accept
verdicts.
Event
table {table name} ({table handle}) chain {chain name} ({chain handle})
handle {rule handle} {verdict} chain {chain name}
With verdict
being the verdict name and an optional (policy)
flag if it is
not explicit and comes from the policy.
Linking an event to a given rule in the Netfilter configuration
The nft
collector will output events like the following:
$ retis collect --allow-system-changes -c nft
53529978697438 [swapper/0] 0 [k] __nft_trace_packet
table firewalld (2) chain filter_PREROUTING (164) accept (policy)
53529978701985 [swapper/0] 0 [k] __nft_trace_packet
table firewalld (2) chain filter_INPUT (165) handle 169 accept
We can see in the above that the table "firewalld" (handle 2) was traversed and accept rules were hit:
- Chain "filter_PREROUTING" (handle 164) default policy (accept) was hit.
- Chain "filter_PREROUTING" (handle 165) had one of its rules hit (handle 169) which is an accept action.
The Netfilter rule set can be dumped including handles, by using the following command:
$ nft -a list ruleset
[...]
table inet firewalld { # handle 2
[...]
chain filter_PREROUTING { # handle 164
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept # handle 197
meta nfproto ipv6 fib saddr . mark . iif oif missing drop # handle 195
}
chain filter_INPUT { # handle 165
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept # handle 169
ct status dnat accept # handle 170
iifname "lo" accept # handle 171
ct state invalid drop # handle 172
jump filter_INPUT_ZONES # handle 176
reject with icmpx admin-prohibited # handle 177
}
[...]
}
[...]
Using this events can be mapped to the nft
configuration. First packet hit
the accept policy below:
chain filter_PREROUTING { # handle 164
type filter hook prerouting priority filter + 10; policy accept; <--
Second packet hit the accept action below:
chain filter_INPUT { # handle 165
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept # handle 169 <--
Note: by using the skb
collector in addition to the nft
one, the specific
packet that triggered those events can be reported.